Configure Your Identity Provider (IdP)

IdP Requirements

To use SAML with Faspex, you must already have an identity provider (IdP) that meets the following requirements:

IdP Metadata Formats

Configure the following formats so that your IdP works with Faspex:

Tag             Format
NameID Format   Faspex supports the following formats:
                  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
                  • urn:oasis:names:tc:SAML:1.1:nameid-format:transient
                  • urn:oasis:names:tc:SAML:1.1:nameid-format:persistent
                  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Entity ID       https://faspex_ip/aspera/faspex/auth/saml/metadata/saml_id
Binding         urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Callback URL    https://faspex_ip/aspera/faspex/auth/saml/callback?id=saml_id

If the IdP is capable of reading SAML XML metadata for a service provider, you can upload a saved XML metadata file to configure the IdP. You can retrieve the XML metadata for an existing Faspex by going to https://faspex_ip/aspera/faspex/auth/saml/metadata/saml_id and saving the XML file.

Note: The saml_id specifies the SAML configuration. For example, in the case of multiple SAML configurations, the first configuration is associated with the SAML ID "1", the next configuration "2", and so on.

SAML Assertion Requirements

Faspex expects the assertion from an IdP to contain the following elements:

Default Attribute   Faspex User Field   Required
NameID              Username            Yes
email               Email address       Yes
given_name          First name          Yes
surname             Last name           Optional
member_of           SAML group          Necessary for SAML groups

Note: Some IdPs may refer to the NameID attribute as SAML_SUBJECT.

Tip: You can configure the Faspex user fields to map to different attributes in the Faspex SAML configuration settings.
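
The following added example (not part of the Faspex documentation or product) checks a decoded test assertion from your IdP against the NameID formats and default attribute names listed above, so mapping problems show up before users attempt to log in. It inspects content only and does not verify the assertion's signature; the function name and the sample assertion are constructed for illustration, and the attribute names assume the default mapping has not been changed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PREFIX = "urn:oasis:names:tc:SAML:1.1:nameid-format:"

# NameID formats and default attribute names as listed on this page.
SUPPORTED_NAMEID_FORMATS = {
    PREFIX + s
    for s in ("unspecified", "transient", "persistent", "emailAddress")
}
REQUIRED_ATTRS = ("email", "given_name")
OPTIONAL_ATTRS = ("surname", "member_of")  # member_of only matters for SAML groups

# Constructed sample assertion (unsigned, trimmed to the parts checked here).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text):
    """Return (errors, warnings) for one decoded assertion or response."""
    root = ET.fromstring(xml_text)
    errors, warnings = [], []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        errors.append("NameID missing or empty (maps to Username)")
    else:
        # SAML treats an absent Format attribute as "unspecified".
        fmt = name_id.get("Format", PREFIX + "unspecified")
        if fmt not in SUPPORTED_NAMEID_FORMATS:
            errors.append("unsupported NameID Format: " + fmt)
    values = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        vals = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        values[attr.get("Name")] = [v for v in vals if v]
    for name in REQUIRED_ATTRS:
        if not values.get(name):
            errors.append("required attribute missing or empty: " + name)
    for name in OPTIONAL_ATTRS:
        if not values.get(name):
            warnings.append("optional attribute not sent: " + name)
    return errors, warnings
```

For the constructed sample, check_assertion(SAMPLE) reports given_name as a missing required attribute and member_of as an optional attribute that was not sent.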